NU MSIT 458 - Lecture Notes

Slide titles:
Outline
Objectives
Denial of Service Attack Definition
Status
Two General Classes of Attacks
Smurf DoS Attack
Distributed DOS
Can you find source of attack?
Attack using Trin00
Targets of Attack
The DDoS Landscape
Attack Tools Over Time
(D)DoS Tools Over Time
Slide 14
Slide 15
TCP Connection Management
TCP Handshake
TCP segment structure
SYN Flooding
SYN Flooding Explained
Flood Detection System on Router/Gateway
TCP Connection Management: Closing
Detection Methods (I)
SYN – FIN Behavior
Slide 25
Vulnerability of SYN-FIN Detection
Detection Method II
Preventing Denial of Service
SYN Cookies
Backup Slides
False Positive Possibilities
Source Address Validity
Attack Rate Dynamics
Up to 1996
1997
1998
1999
2000
Single host in DDoS
2001
Power bot
2002
2003

Outline
• Definition
• Point-to-point network denial of service
  – Smurf
• Distributed denial of service attacks
• TCP SYN Flooding and Detection

Objectives
• Understand the concept of DoS attacks and their current threat trends
• Understand SYN flooding attacks, be able to detect them at the network level, and be able to defend against them (SYN cookies)

Denial of Service Attack Definition
• An explicit attempt by attackers to prevent legitimate users of a service from using that service
• Threat model – taxonomy from CERT
  – Consumption of network connectivity and/or bandwidth
  – Consumption of other resources, e.g. queue, CPU
  – Destruction or alteration of configuration information
    • Malformed packets confusing an application, causing it to freeze
  – Physical destruction or alteration of network components

Status
• DoS attacks increasing in frequency, severity and sophistication
  – 32% of respondents detected DoS attacks (1999 CSI/FBI survey)
  – August 6, 2009: several social networking sites, including Twitter, Facebook, LiveJournal, and Google blogging pages, were hit by DDoS attacks
    • Aimed at Georgian blogger "Cyxymu"
  – Internet's root DNS servers attacked on
    • Oct. 22, 2002: 9 out of 13 disabled for about an hour
    • Feb. 6, 2007: one of the servers crashed, two reportedly "suffered badly", while others saw "heavy traffic"
    • An apparent attempt to disable the Internet itself

Two General Classes of Attacks
• Flooding Attacks
  – Point-to-point attacks: TCP/UDP/ICMP flooding, Smurf attacks
  – Distributed attacks: hierarchical structures
• Corruption Attacks
  – Application/service specific
    • E.g., polluting P2P systems

Smurf DoS Attack
• Send ping request to broadcast address (ICMP Echo Request)
• Lots of responses:
  – Every host on target network generates a ping reply (ICMP Echo Reply) to victim
  – Ping reply stream can overload victim
Prevention: reject external packets to broadcast address.
[Diagram: DoS Source sends (1) ICMP Echo Request, Src: DoS Target, Dest: broadcast addr, through the gateway; every host replies with (3) ICMP Echo Reply, Dest: DoS Target]

Distributed DOS
[Diagram: BadGuy sends unidirectional commands to Handlers; Handlers exchange coordinating communication and command Agents; Agents send attack traffic to the Victim]
Stacheldraht is a classic example of a DDoS tool.

Can you find source of attack?
• Hard to find BadGuy
  – Originator of attack compromised the handlers
  – Originator not active when DDoS attack occurs
• Can try to find agents
  – Source IP address in packets is not reliable
  – Need to examine traffic at many points, modify traffic, or modify routers

Attack using Trin00
• In August 1999, a network of > 2,200 systems took the University of Minnesota offline for 3 days
  – scan for known vulnerabilities, then attack with UDP traffic
  – once a host is compromised, script the installation of the DDoS master agents
  – According to the incident report, it took about 3 seconds to get root access

Targets of Attack
• End hosts
• Critical servers (disrupt C/S network)
  – Web, File, Authentication, Update
  – DNS
• Infrastructure
  – Routers within org
  – All routers in upstream path

The DDoS Landscape
[Chart, Source: CERT/CC. Axes: Attack Sophistication / Intruder Knowledge (Low to High) against time, 1980–2001; labelled Tools and Attackers. Tools plotted over time: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption]

Attack Tools Over Time

(D)DoS Tools Over Time
• 1996 - Point-to-point
• 1997 - Combined w/ multiple tools
• 1998 - Distributed (small, C/S)
• 1999 - Add encryption, covert channel comms, shell features, auto-update, bundled w/ rootkit
  – trin00, Stacheldraht, TFN, TFN2K
• 2000 - Speed ups, use of IRC for C&C
• 2001 - Added scanning, IRC channel hopping, worms include DDoS features
  – Code Red (attacked www.whitehouse.gov)
  – Linux "lion" worm (TFN)
• 2002 - Added reflection attack
• 2003 - IPv6 DDoS

Outline
• Definition
• Point-to-point network denial of service
  – Smurf
• Distributed denial of service attacks
  – Trin00, TFN, Stacheldraht, TFN2K
• TCP SYN Flooding and Detection/Defense

SYN Flooding Attack
• 90% of DoS attacks use TCP SYN floods
• Streaming spoofed TCP SYNs
• Takes advantage of three way handshake
• Server starts "half-open" connections
• These build up… until queue is full and all additional requests are blocked

TCP Connection Management
Recall: TCP sender and receiver establish a "connection" before exchanging data segments
• initialize TCP variables:
  – seq. #s
  – buffers, flow control info (e.g. RcvWindow)
• client: connection initiator
• server: contacted by client
Three way handshake:
Step 1: client host sends TCP SYN segment to server
  – specifies initial seq #
  – no data
Step 2: server host receives SYN, replies with SYNACK segment
  – server allocates buffers
  – specifies server initial seq. #
Step 3: client receives SYNACK, replies with ACK segment, which may contain data

TCP Handshake
[Diagram: client C and server S (Listening). C → S: SYN_C; S stores data and replies SYN_S, ACK_C; C → S: ACK_S; S moves from Wait to Connected]

TCP segment structure
[Diagram: TCP header, 32 bits wide: source port #, dest port #; sequence number; acknowledgement number; head len, not used, flags U A P R S F, Receive window; checksum, Urg data pointer; Options (variable length); application data (variable length). Annotations: URG: urgent data (generally not used); ACK: ACK # valid; PSH: push data now (generally not used); RST, SYN, FIN: connection estab (setup, teardown commands); Receive window: # bytes rcvr willing to accept; sequence and ACK numbers count by bytes of data (not segments!); Internet checksum (as in UDP)]

SYN Flooding
[Diagram: SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5 arrive at server S (Listening); S stores data for each]

SYN Flooding Explained
• Attacker sends many connection requests with spoofed source addresses
• Victim allocates resources for each request
  – New thread, connection state maintained until timeout
  – Fixed bound on half-open connections
• Once resources exhausted,
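
The half-open backlog exhaustion described above and the SYN-cookie defence named in the objectives, as an added Python illustration that is not part of the lecture notes. It follows the field layout Bernstein describes for SYN cookies (5-bit time counter, 3-bit MSS index, 24-bit keyed hash); the server secret, the 4-tuple, the tiny backlog size and the MSS index values are constructed assumptions.

```python
"""Half-open backlog exhaustion vs. a simplified SYN cookie (added illustration)."""
import hashlib
import hmac

BACKLOG = 4  # constructed: a tiny half-open bound so exhaustion is visible
SECRET = b"constructed-per-boot-server-secret"  # assumption: key known only to the server


def stateful_listener(syn_sources, backlog=BACKLOG):
    """Classic listener: each SYN allocates a half-open entry that is only
    released by the final ACK or a timeout. Spoofed sources never ACK, so the
    table fills and every later SYN is dropped. Returns the dropped sources."""
    half_open, dropped = set(), []
    for src in syn_sources:
        if len(half_open) >= backlog:
            dropped.append(src)  # queue full: legitimate clients are refused too
        else:
            half_open.add(src)
    return dropped


def make_cookie(src, sport, dst, dport, t, mss_idx):
    """SYN-cookie server ISN: 5-bit time counter, 3-bit MSS index and a
    24-bit keyed hash of the 4-tuple and time. Nothing is stored per SYN."""
    msg = f"{src}:{sport}:{dst}:{dport}:{t}".encode()
    h24 = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((t % 32) << 27) | ((mss_idx & 7) << 24) | h24


def check_ack(src, sport, dst, dport, ack, now, max_age=3):
    """On a bare ACK, recover ISN = ack-1 and recompute the cookie for each
    recent time counter. Returns the MSS index if the cookie verifies, else
    None (stale, forged, or no SYN-ACK was ever sent for this 4-tuple)."""
    isn = (ack - 1) & 0xFFFFFFFF
    t_field, mss_idx = isn >> 27, (isn >> 24) & 7
    for age in range(max_age + 1):
        t = now - age
        if t % 32 == t_field and make_cookie(src, sport, dst, dport, t, mss_idx) == isn:
            return mss_idx
    return None


if __name__ == "__main__":
    # constructed flood: five spoofed SYNs followed by one legitimate client
    flood = [f"203.0.113.{i}" for i in range(5)] + ["198.51.100.7"]
    print("dropped without cookies:", stateful_listener(flood))
    isn = make_cookie("198.51.100.7", 40000, "192.0.2.10", 80, 100, 3)
    print("cookie verifies:", check_ack("198.51.100.7", 40000, "192.0.2.10", 80, isn + 1, 101))
```

With cookies the server keeps no table, so the flood in `stateful_listener` has nothing to exhaust; the cost is that TCP options not encoded in the cookie (here only the MSS index survives) are lost for cookie-validated connections.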